CSS11503 to ACE4710 and server side NAT

ldpaynejr2
Level 1

Hello everyone,

We have a CSS11503 that is currently being used to accept incoming HTTPS and SSH connections on a specific VIP and then PAT those client connections. I understand that it also PATs the server-initiated connections.

!*************************** GLOBAL ***************************

  acl enable

  cdp run

  prelogin-banner "prelogin.txt"

  virtual authentication primary tacacs

  virtual authentication secondary local

  sshd version v2

  restrict ftp

  snmp trap-type enterprise

  snmp name XXXXX

  ip route 0.0.0.0 0.0.0.0 xxx.xxx.68.97 1

!************************* INTERFACE *************************

interface  1/1

  bridge vlan 300

interface  1/2

  trunk

  vlan 301

  vlan 302

!************************** CIRCUIT **************************

circuit VLAN300

  ip address xxx.xxx.68.103 255.255.255.240

circuit VLAN301

  ip address 10.yyy.yyy.33 255.255.255.224

circuit VLAN302

  ip address 10.yyy.yyy.1 255.255.255.224

!************************** SERVICE **************************

service out-any-infra

  ip address 10.yyy.yyy.34 range 14

  active

service out-any-vsuiteA

  ip address 10.yyy.yyy.2 range 30

  active

service ssh-vsuiteA

  protocol tcp

  port 22

  ip address 10.yyy.yyy.6

  active

service vsuiteFrontEnd-A

  ip address 10.yyy.yyy.3

  active

!*************************** OWNER ***************************

owner vsuiteA

  billing-info "virtual suite A"

  content rule-vsuiteFrontEnd-A

    vip address xxx.xxx.68.101

    port 443

    protocol tcp

    add service vsuiteFrontEnd-A

    flow-timeout-multiplier 400

    active

  content rule-vsuiteSsh-A

    vip address xxx.xxx.68.101

    port 22

    protocol tcp

    add service ssh-vsuiteA

    flow-timeout-multiplier 400

    active

!*************************** GROUP ***************************

group outgroup-infra

  vip address xxx.xxx.68.102

  add service out-any-infra

  active

group outgroup-vsuiteA

  vip address xxx.xxx.68.101

  add service out-any-vsuiteA

  add destination service vsuiteFrontEnd-A

  active

!**************************** ACL ****************************

acl 10

  clause 10 permit any any destination xxx.xxx.68.101

  apply circuit-(VLAN300)

acl 20

  clause 10 permit any any destination any

  apply circuit-(VLAN302)

  apply circuit-(VLAN301)

acl 30

  clause 10 permit any any destination any

I converted the configuration using the CSS-to-ACE configuration tool, added lines for logging, and switched over to it. Now, the server-initiated traffic is apparently not having the PAT applied. The "range" portion of the "ip address 10.yyy.yyy.34 range 14" and "ip address 10.yyy.yyy.2 range 30" didn't translate, so I can add those ranges as rservers in the ACE4710.

Here is the current "in progress" configuration for the ACE4710. Please note that we currently have only one server for incoming connections for testing purposes. After I add the remaining rservers for the ranges, will this be an equivalent configuration to the CSS11503 configuration above?

Configuration commands for Admin context:

-----------------------------------------

resource-class RC1

  limit-resource sticky minimum 10 maximum unlimited

context Admin

  member RC1

logging enable

logging timestamp

logging trap 5

logging history 5

logging buffered 5

logging persistent 5

logging monitor 5

logging queue 5000

hostname ACE4710

interface gigabitEthernet 1/1

  switchport access vlan 300

  no shutdown

interface gigabitEthernet 1/2

  switchport trunk allowed vlan 301,302

  no shutdown

interface gigabitEthernet 1/3

  shutdown

interface gigabitEthernet 1/4

  shutdown

Configuration commands for Admin context:

-----------------------------------------

access-list ACL_10 extended permit ip any xxx.xxx.68.101 255.255.255.255

access-list ACL_10 extended permit icmp any xxx.xxx.68.101 255.255.255.255

access-list ACL_30 extended permit ip any any

access-list ACL_30 extended permit icmp any any

access-list ACL_20 extended permit ip any any

access-list ACL_20 extended permit icmp any any

ip route 0.0.0.0 0.0.0.0 xxx.xxx.68.97

probe icmp SERVICE_ICMP_PROBE

  interval 5

  passdetect interval 5

rserver host out-any-infra

  inservice

  ip address 10.yyy.yyy.34

  probe SERVICE_ICMP_PROBE

rserver host out-any-vsuiteA

  inservice

  ip address 10.yyy.yyy.2

  probe SERVICE_ICMP_PROBE

rserver host ssh-vsuiteA

  inservice

  ip address 10.yyy.yyy.6

  probe SERVICE_ICMP_PROBE

rserver host vsuiteFrontEnd-A

  inservice

  ip address 10.yyy.yyy.3

  probe SERVICE_ICMP_PROBE

serverfarm host rule-vsuiteFrontEnd-A

  probe SERVICE_ICMP_PROBE

  rserver vsuiteFrontEnd-A

    inservice

serverfarm host rule-vsuiteSsh-A

  probe SERVICE_ICMP_PROBE

  rserver ssh-vsuiteA 22

    inservice

parameter-map type http CASE_PARAM

  case-insensitive

parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM

  set timeout inactivity 6400

parameter-map type connection rule-vsuiteSsh-A_CONN_PARAM

  set timeout inactivity 6400

class-map type management match-any TO-CP-POLICY

  match protocol icmp any

  match protocol telnet any

  match protocol snmp any

  match protocol ssh any

class-map match-all rule-vsuiteFrontEnd-A_CLASS

  match virtual-address xxx.xxx.68.101 tcp eq 443

class-map match-all rule-vsuiteSsh-A_CLASS

  match virtual-address xxx.xxx.68.101 tcp eq 22

class-map match-any outgroup-infra_CLASS

  match source-address 10.yyy.yyy.34 255.255.255.255

class-map match-any outgroup-vsuiteA_CLASS

  match source-address 10.yyy.yyy.2 255.255.255.255

policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY

  class class-default

    serverfarm rule-vsuiteFrontEnd-A

policy-map type loadbalance first-match rule-vsuiteSsh-A_POLICY

  class class-default

    serverfarm rule-vsuiteSsh-A

policy-map multi-match POLICY

  class rule-vsuiteFrontEnd-A_CLASS

    connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM

    loadbalance vip inservice

    loadbalance vip icmp-reply active

    loadbalance policy rule-vsuiteFrontEnd-A_POLICY

    nat dynamic 2 vlan 302

  class rule-vsuiteSsh-A_CLASS

    connection advanced-options rule-vsuiteSsh-A_CONN_PARAM

    loadbalance vip inservice

    loadbalance vip icmp-reply active

    loadbalance policy rule-vsuiteSsh-A_POLICY

  class outgroup-infra_CLASS

    nat dynamic 1 vlan 300

  class outgroup-vsuiteA_CLASS

    nat dynamic 2 vlan 302

service-policy input POLICY

interface vlan 302

  ip address 10.yyy.yyy.1 255.255.255.224

  access-group input ACL_20

  nat-pool 2 xxx.xxx.68.101 xxx.xxx.68.101 pat

  no shutdown

interface vlan 300

  ip address xxx.xxx.68.103 255.255.255.240

  access-group input ACL_10

  nat-pool 1 xxx.xxx.68.102 xxx.xxx.68.102 pat

  no shutdown

interface vlan 301

  ip address 10.yyy.yyy.33 255.255.255.224

  access-group input ACL_20

  no shutdown

1 Reply

ajayku2
Cisco Employee

Question: Here is the current "in progress" configuration for the ACE4710. Please note that we currently have only one server for incoming connections for testing purposes. After I add the remaining rservers for the ranges, will this be an equivalent configuration to the CSS11503 configuration above?

You need to do two things.

1) Add the remaining rservers for the ranges.

2) Put them in serverfarm.

For example:

rserver host vsuiteFrontEnd-B

  inservice

  ip address 10.yyy.yyy.4

  probe SERVICE_ICMP_PROBE

serverfarm host rule-vsuiteFrontEnd-A

  probe SERVICE_ICMP_PROBE

  rserver vsuiteFrontEnd-A

    inservice

  rserver vsuiteFrontEnd-B

    inservice

That should help you to achieve your desired result.

Hope that helps.

regards,

Ajay Kumar
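
Added example, not part of the original post or the reply: on the ACE configuration above, server-initiated PAT is applied by the classes that use `match source-address`, so this Python check expands each CSS `ip address ... range N` service and lists the addresses no such class covers. The addresses 10.0.0.x and 10.0.1.x are constructed stand-ins for the masked 10.yyy.yyy.x values, and the code assumes `range N` means N consecutive addresses starting at the one given.

```python
import ipaddress
import re

# Constructed sample configs: 10.0.0.x / 10.0.1.x stand in for the masked 10.yyy.yyy.x.
CSS_CONFIG = """\
service out-any-infra
  ip address 10.0.0.34 range 14
service out-any-vsuiteA
  ip address 10.0.1.2 range 30
"""

ACE_CONFIG = """\
class-map match-any outgroup-infra_CLASS
  match source-address 10.0.0.34 255.255.255.255
class-map match-any outgroup-vsuiteA_CLASS
  match source-address 10.0.1.2 255.255.255.255
"""

def css_service_ranges(config):
    """Map each CSS service to the addresses covered by 'ip address A [range N]'."""
    services, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"service\s+(\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+ip address\s+(\S+)(?:\s+range\s+(\d+))?", line)):
            start = ipaddress.IPv4Address(m.group(1))
            # Assumption: 'range N' means N consecutive addresses starting at A.
            services[name] = [start + i for i in range(int(m.group(2) or 1))]
    return services

def ace_source_networks(config):
    """Collect every network named by an ACE 'match source-address A MASK' line."""
    return [ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
            for a, mask in re.findall(r"match source-address\s+(\S+)\s+(\S+)", config)]

def unmatched_sources(css_config, ace_config):
    """Return {service: [addresses with no matching ACE source-address class]}."""
    nets = ace_source_networks(ace_config)
    gaps = {}
    for name, addrs in css_service_ranges(css_config).items():
        missing = [str(a) for a in addrs if not any(a in n for n in nets)]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for service, missing in unmatched_sources(CSS_CONFIG, ACE_CONFIG).items():
        print(f"{service}: {len(missing)} address(es) not matched, first {missing[0]}")
```

An empty result means every server address the CSS translated on outbound connections is also matched by a source-address class on the ACE side.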
